The regulatory compliance process can be overwhelming at first. But the HITRUST common security framework (CSF) was designed specifically to streamline regulatory compliance for organizations.
Understanding Phases of HITRUST CSF & All of The Terminology
To help organizations understand HITRUST CSF certification, we have put together a HITRUST glossary. It covers the HITRUST terminology you need to get through the various phases of HITRUST assessment and certification.
Definitions provided in quotation marks come directly from The HITRUST Alliance Terminology list; any other information is meant purely to provide additional information and examples for those who are new to the HITRUST compliance phases.
Goals – Risk Management & Security Compliance
Risk Management
“The program and supporting processes to manage information protection risk to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, and other organizations, and includes:
- Establishing the context for risk-related activities;
- Assessing risk;
- Responding to risk once determined; and
- Monitoring risk over time.”
Risk Management Framework
“A common taxonomy and standard set of processes, procedures, activities, and tools that support the identification, assessment, response, control, and reporting of risk.”
This is a guide created to facilitate efficient and effective risk management through the selection, implementation, assessment and reporting of information security and privacy controls. The HITRUST processes outlined by the Risk Management Framework include four steps:
- Identify risks and define security requirements,
- Specify controls,
- Implement and manage controls,
- Assess and report.
HITRUST CSF Assurance Program
“The programs and systems for use of the HITRUST CSF and CSF tools in connection with data protection assurance assessments according to the standards set forth by HITRUST.”
By joining this program, organizations gain access to compliance assessments and reporting tools for HIPAA, HITECH, federal, state, and industry security requirements. Specifically, the HITRUST CSF gives organizations and their business associates a unified approach to managing security assessments. The HITRUST CSF Assurance Program includes risk management oversight and assessment protocols customized to fit the regulatory and business needs of various industries.
Covered Entities
Covered entities are individuals, organizations, and companies required to comply with privacy and security regulations protecting sensitive information. These include:
- “Health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form regarding a HIPAA transaction.”
- “Any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
Business Associate
“A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity, but is not included in the covered entity’s workforce.”
HITRUST CSF Assessments & Scoring
HITRUST CSF
Originally termed the HITRUST Common Security Framework, it is “a framework for managing information security and privacy risks and compliance. It has become the benchmark framework for security and compliance in health care and other industries.”
The HITRUST CSF combines the requirements of other existing standards and regulations, including HIPAA, HITECH, PCI, COBIT, NIST, and FTC. By unifying these standards, the HITRUST Common Security Framework (CSF) makes the compliance process more efficient, clear, and cost-effective for organizations and their business associates.
HITRUST CSF Assessment
“A data protection assessment provided by an assessor to organizations in accordance with the HITRUST Assurance Program.”
There are two types of CSF assessments: the readiness assessment (formerly called a self-assessment) and the validated assessment. The readiness assessment can be used by companies that are preparing for certification, or that wish to take advantage of the standard security methodology, requirements, and tools but are not required to complete the validation and certification process.
Scope
This refers to the identified information assets and data flows which must be included in the HITRUST CSF assessment. The scope should be focused on the workflows which require the use of sensitive data or PHI.
Control Categories
The 14 CSF control categories are high-level groupings, founded on ISO 27001 and 27002, that contain the control objectives. They are:
- Information Security Management Program,
- Access Control,
- Human Resources Security,
- Risk Management,
- Security Policy,
- Organization of Information Security,
- Compliance,
- Asset Management,
- Physical and Environmental Security,
- Communications and Operations Management,
- Information Systems Acquisition, Development and Maintenance,
- Information Security Incident Management,
- Business Continuity Management,
- Privacy Practices.
Control Objectives
There are 46 control objectives factored into the HITRUST CSF. Each is a statement of the goal or purpose to be achieved by the controls within a HITRUST CSF control category.
Control
“The safeguard or countermeasure prescribed for an organization and/or information system(s) to protect the confidentiality, integrity, and availability of information.”
According to HITRUST CSF v9.3, there are 135 common privacy and security controls. HITRUST includes controls required by other regulatory standards, enabling organizations to use this single assessment to certify compliance with multiple requirements. During HITRUST assessments, organizations are scored according to the controls within the set scope.
Implementation Requirements
“Detailed information to support the implementation of the control and meeting the control objective.”
Each control has up to three implementation levels. The higher the level, the more restrictive the requirements. Which level applies to a given control is determined by three categories of risk factors; organizations seeking HITRUST certification must comply with at least the first level. The risk factors are:
- Organizational Risk,
- Regulatory Risk,
- System Risk.
Requirement Statements
A risk-based approach using organizational, regulatory and system profile information is used to determine the customized set of requirement statements that apply to the organization undergoing assessment. In all, there are 845 requirement statements. Identifying which requirements apply to the organization seeking certification is part of how the scope of a HITRUST CSF engagement is determined.
Maturity Model
The HITRUST CSF maturity model, which is an evolution of the PRISMA model, is used to score both readiness assessments and validated assessments. Scoring is determined according to five levels: policy, process/procedure, implemented, measured, and managed.
Control Score
This refers to the maturity score for a particular control in a HITRUST assessment.
Control compliance must be scored during both the readiness and validated assessments according to the five levels of the HITRUST CSF Maturity Model.
During the HITRUST assessment, each control is rated at each maturity level, from 0% (non-compliant) to 100% (fully compliant). The score for a control is the sum, across the five maturity levels, of each level's weight multiplied by the rating achieved at that level.
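The weighted-sum calculation above, worked through in code. This is an added example, not tooling from HITRUST or from the original page. The level weights (Policy 15, Procedure 20, Implemented 40, Measured 10, Managed 15) and the 0/25/50/75/100 rating scale are assumptions taken from the HITRUST v9.x maturity model, not stated on this page; the control names and ratings are constructed sample data. The `remediation_priorities` helper goes one step beyond the page: it ranks the maturity levels of a control by weighted points lost, which is the view an assessor uses when drafting a corrective action plan.

```python
"""Worked example of HITRUST CSF maturity scoring for a control.

Assumptions (not stated on the page): the five maturity levels carry
the v9.x weights below, and each level is rated on the 0/25/50/75/100
compliance scale. Sample controls are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Maturity levels in the order the page lists them.
LEVELS = ("policy", "procedure", "implemented", "measured", "managed")

# Assumed level weights (sum to 100). Implemented carries the most weight.
WEIGHTS = {"policy": 15, "procedure": 20, "implemented": 40, "measured": 10, "managed": 15}

# Assumed rating scale: how fully the control meets that maturity level.
RATING_SCALE = (0, 25, 50, 75, 100)

# Constructed sample: ratings per level for two in-scope controls.
SAMPLE_CONTROLS: Dict[str, Dict[str, int]] = {
    "control-1": {"policy": 100, "procedure": 100, "implemented": 75, "measured": 0, "managed": 0},
    "control-2": {"policy": 100, "procedure": 50, "implemented": 50, "measured": 0, "managed": 0},
}


def _validate(level_ratings: Dict[str, int], weights: Dict[str, int]) -> None:
    """Reject malformed input rather than silently mis-scoring a control."""
    if set(level_ratings) != set(LEVELS):
        raise ValueError(f"ratings must cover exactly the levels {LEVELS}")
    if sum(weights.values()) != 100:
        raise ValueError("level weights must sum to 100")
    for level, rating in level_ratings.items():
        if rating not in RATING_SCALE:
            raise ValueError(f"{level}: rating {rating} not on scale {RATING_SCALE}")


def control_score(level_ratings: Dict[str, int], weights: Dict[str, int] = WEIGHTS) -> float:
    """Sum over levels of (level weight * level rating), expressed as 0..100."""
    _validate(level_ratings, weights)
    return sum(weights[level] * level_ratings[level] for level in LEVELS) / 100


def score_assessment(controls: Dict[str, Dict[str, int]]) -> Dict[str, float]:
    """Score every in-scope control."""
    return {name: control_score(ratings) for name, ratings in controls.items()}


def average_score(controls: Dict[str, Dict[str, int]]) -> float:
    """Unweighted mean across controls; a simple roll-up, not HITRUST's own domain roll-up."""
    scores = score_assessment(controls)
    return sum(scores.values()) / len(scores)


def remediation_priorities(level_ratings: Dict[str, int],
                           weights: Dict[str, int] = WEIGHTS) -> List[Tuple[str, float]]:
    """Levels ranked by weighted points lost, highest first: where a CAP gains the most."""
    _validate(level_ratings, weights)
    lost = [(level, weights[level] * (100 - level_ratings[level]) / 100) for level in LEVELS]
    return sorted(lost, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in score_assessment(SAMPLE_CONTROLS).items():
        print(f"{name}: {score:.1f}")
        for level, points in remediation_priorities(SAMPLE_CONTROLS[name]):
            print(f"  {level:<12} {points:5.1f} points lost")
    print(f"average: {average_score(SAMPLE_CONTROLS):.1f}")
```

For `control-1` the arithmetic is (15·100 + 20·100 + 40·75 + 10·0 + 15·0) / 100 = 65. Note that a control can be fully documented (policy and procedure at 100%) and still score poorly, because 65% of the weight sits in the implemented, measured and managed levels; that is the usual finding in a readiness assessment.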
The HITRUST CSF Certification Process
HITRUST CSF Certification
HITRUST certification confirms that the organization has passed the comprehensive security evaluation and maintains compliance with the relevant data protection and information risk management regulations. To achieve certification, the organization must work with an authorized HITRUST external assessor and successfully complete the HITRUST CSF validated assessment. Once achieved, certification is valid for 24 months. The certification process has four main phases:
- Readiness Assessment,
- Remediation,
- Validated Assessment,
- HITRUST Quality Assurance.
Readiness Assessment
This is the first phase of the HITRUST CSF certification process. A HITRUST readiness assessment (formerly known as a self-assessment) helps an organization evaluate its own ability to comply with the in-scope controls in preparation for the HITRUST CSF validated assessment. HITRUST will assemble the assessment, but does not validate it.
Remediation
This is the second phase of the HITRUST CSF certification process. The objective of remediation is to identify and prioritize gaps between the organization’s current controls and the required standards, and to close them. It provides valuable insight and the opportunity to improve before progressing to the validated assessment.
Validated Assessment
“An evaluation conducted against the HITRUST CSF under the CSF Assurance Program, in which the results are (i) checked for accuracy and completeness by a HITRUST Approved Assessor organization; and (ii) undergo a quality assurance review by HITRUST.”
This is the third phase of the HITRUST CSF certification process. The validated assessment involves sampling, testing, and scoring the controls within scope, interviewing the relevant employees, and verifying documentation. The scores, based on control maturity, determine compliance.
Quality Assurance Review
“The complete set of measures and procedures used by the organization to ensure that the services provided continue to fulfill the expectations of the customer as described in relevant agreements.”
This is the fourth phase of the HITRUST CSF certification process. Completed validated assessments are submitted to HITRUST for quality assurance review and generation of the final report.
Corrective Action Plan
Following completion of the HITRUST assessment, during the Quality Assurance phase, the organization is provided with a report of the assessment results. The report also identifies remediation activities, which should be tracked in corrective action plans (CAPs).
Interim Assessment
One year after achieving HITRUST CSF certification, organizations must pass an interim assessment to verify ongoing compliance with the required security controls. After two years, the organization must be re-assessed.
Re-assessment
Because HITRUST CSF certification expires after 24 months, re-assessment serves to renew an organization’s certification status. Re-assessment verifies that the organization has maintained compliance with the required controls. A full re-assessment must be carried out every two years, or sooner if there has been a data breach or a significant change in the operating environment.
MyCSF®
The assessment and corrective action plan management platform provided by the HITRUST Alliance. MyCSF® is a SaaS information risk management platform specifically designed to help organizations assess and report information risk and compliance with international, federal, and state regulations concerning privacy and security.
Roles Involved in the HITRUST CSF Certification Process
Project Coordinator
The project coordinator is an internal role appointed by the organization undergoing HITRUST assessment. The project coordinator leads the work team in meeting the goals and expectations set for the assessment, and is responsible for collecting documentation, organizing interviews, and verifying participation.
HITRUST Approved CSF Assessor
“An organization that has been approved by HITRUST for performing assessments and services associated with the CSF Assurance Program and the HITRUST CSF. HITRUST Approved CSF Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with data protection control requirements and document corrective action plans that align with the HITRUST CSF.”
Authorized HITRUST assessors – like I.S. Partners, LLC. – work with organizations of all sizes and in a wide variety of industries. Ultimately, they verify compliance with security control requirements and help the organization to develop remediation plans to achieve compliance and certification.
Engagement Executive
Engagement Executives are Certified HITRUST Quality Professionals (CHQPs) who manage the engagement and support the organization as it goes through the HITRUST assessment process. HITRUST Engagement Executives are responsible for the financial results of the assessment and for monitoring the engagement. They also review and approve the scope and test plan and check the testing results.
Engagement Lead
Engagement Leads are CHQPs who work with the Engagement Executive and the Project Coordinator. The role of the lead includes documenting the scope, designing the test plan, identifying the sampling criteria and coordinating fieldwork. The appointed Engagement Lead also oversees testing, analyzes results, and documents the results.
Quality Assurance Reviewer
The role of this type of CCSFP (Certified Common Security Framework Practitioner) is to review the Assessor Quality Checklist and completed procedures submitted for HITRUST assessment.
I.S. Partners, LLC. – Authorized HITRUST External Assessor
Since 2016, our firm has been an authorized HITRUST external assessor working with companies – around the country – of all different sizes and complexities. We assist organizations through the entire HITRUST preparation, readiness, certification, and remediation phases of HITRUST.
Learn about our full range of services to assist you in becoming HITRUST CSF certified. Contact I.S. Partners, LLC. for more information by calling 215-675-1400 or filling out the request form below.